Analysis

max time kernel:  144s
max time network: 149s
platform:         windows10-2004_x64
resource:         win10v2004-20240508-en
resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted:        22-05-2024 06:21

Static task: static1 (1 signatures)

Behavioral task: behavioral1
  Sample:   664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe
  Resource: win7-20240221-en
  7 signatures, 150 seconds
General

Target: 664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe
Size:   449KB
MD5:    664c1f524fdf0e1c9c50776c8bb7473d
SHA1:   6cbc9e3baba1f969a2d121441eeb2ee2e96f10f7
SHA256: 03ae00f9fec44e8a68cf1fa1ef776935c4a82646489ffa868c271e5546dab58f
SHA512: 056919b9f275fdc5f8c75701e48d53179d0db518f08f505b312d4833e299e3f8b4b55d60bcb6eed732554fefe1286a7701a5488e546d14e969ed6212dd272bf5
SSDEEP: 3072:XDne18TzZKc1NiVt19s2MJdTnFy3pLrA8wKV6ioa52oigI75ehCb2dbLriMos/C:jzMc1c99s2+dFopLrRjAi7C
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid   Process
  4116  664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe
  4116  664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe
  1004  664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe
  1004  664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe
  1948  subsvsc.exe
  1948  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe
  2564  subsvsc.exe

Suspicious behavior: RenamesItself (1 IoCs)
  pid   Process
  1004  664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid   Process                                              procid_target
  PID 4116 wrote to memory of 1004     4116  664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe  90
  PID 4116 wrote to memory of 1004     4116  664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe  90
  PID 4116 wrote to memory of 1004     4116  664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe  90
  PID 1948 wrote to memory of 2564     1948  subsvsc.exe                                          102
  PID 1948 wrote to memory of 2564     1948  subsvsc.exe                                          102
  PID 1948 wrote to memory of 2564     1948  subsvsc.exe                                          102
Processes

C:\Users\Admin\AppData\Local\Temp\664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe"
  PID: 4116
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\664c1f524fdf0e1c9c50776c8bb7473d_JaffaCakes118.exe"
      PID: 1004
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself

C:\Windows\SysWOW64\subsvsc.exe
  Command line: "C:\Windows\SysWOW64\subsvsc.exe"
  PID: 1948
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\subsvsc.exe
      Command line: "C:\Windows\SysWOW64\subsvsc.exe"
      PID: 2564
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
  PID: 1504